Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Open Source Linux

Greg Kroah-Hartman Rejects Apology from University of Minnesota Researchers (kernel.org) 140

Saturday University of Minnesota researchers emailed the Linux kernel mailing list apologizing for submitting buggy code as part of a research project to see whether it would be accepted.

Late Saturday night, the kernel team's Greg Kroah-Hartman replied: Thank you for your response.

As you know, the Linux Foundation and the Linux Foundation's Technical Advisory Board submitted a letter on Friday to your University outlining the specific actions which need to happen in order for your group, and your University, to be able to work to regain the trust of the Linux kernel community.

Until those actions are taken, we do not have anything further to discuss about this issue.

thanks

This discussion has been archived. No new comments can be posted.

Greg Kroah-Hartman Rejects Apology from University of Minnesota Researchers

Comments Filter:
  • Good decision (Score:5, Insightful)

    by Aubz ( 7986666 ) on Sunday April 25, 2021 @04:56PM (#61312916)
    This is the correct attitude. Linux is not a plaything for arrogant Sheldon Cooper clones to screw with. How many of the worlds servers use Linux? You want to mess with it to see what happens? Seriously?
    • Re:Good decision (Score:5, Interesting)

      by lessSockMorePuppet ( 6778792 ) on Sunday April 25, 2021 @05:06PM (#61312936) Homepage

      They could've just got their own. Heck, they could've set up their own fork, patch review team, and tried to fool them.

      But no, they decided to break someone else's toys.

      • I suspect that this is deeper than grad students testing Linux codebase integrity. I want to know who ultimately funded this research. I suspect that the answer to that question may be unpleasant. "Follow the feedbag"
      • by colfer ( 619105 )

        UMinn already has gopher, the browser before www.

        • by Megane ( 129182 )
          You mean the protocol that hasn't been relevant for over two decades? The people who submitted those patches were toddlers back then. Except for the profs, who would have been students then, but not likely at UMinn. I would say there is no more connection between the UMinn of now and then, than between their football teams of the same eras.
          • by colfer ( 619105 )

            Somebody else already said it more funnily than me, elsewhere in this discussion, as it turns out.

      • by Mitreya ( 579078 )

        Heck, they could've set up their own fork, patch review team, and tried to fool them.

        Yes, but the study is about flaws in patch review process. Setting up their own, would just be testing their own review team and not the real thing. It really puts the "no human subjects" IRB exemption they managed to get into perspective.

      • I'd say it's worse than that. They specifically chose the Linux kernel because it's the biggest and most well known project, hence giving them the most "street cred", completely disregarding the question of potential damage.

        A lot of research in subjects like psychology require the subject to be unaware of being a subject and hence there are well known guidelines related to damage mitigation the subjects being unaware is required for the experiment. A good example of this is the Milgram experiment where t
        • Typically, experiments which require the subjects' active participation also require the subjects' permission. They usually don't tell the subject exactly what's being studied since that could alter the results but they don't compel the participation of unwitting and unwilling people.

          The Milgram experiment demonstrates this: the subject is deceived about their role in the experiment but accepts payment to participate in the experiment.

          The modern "white hat" hacker movement often crosses this ethical boundar

    • Yeah, permanent banhammer imo. You shouldn't even think of messing with the Linux codebase.
      • Re: Good decision (Score:5, Insightful)

        by klipclop ( 6724090 ) on Sunday April 25, 2021 @07:21PM (#61313334)
        Not only that, but these "researchers" names will forever be associated with this lazy research topic and how they went about it. If they ever applied to any position I'm reviewing and found out, at the best I'd have some very hard questions to ask them (to make sure they won't pull that crap internally) or at the worst I'd toss their application into the bin.
        • by Mitreya ( 579078 )

          Not only that, but these "researchers" names will forever be associated with this lazy research topic and how they went about it.

          They got a top-tier publication out of this. So far, I think most of the damage and extra work has landed on other people.

          If they ever applied to any position I'm reviewing and found out

          Many conferences have a double-blind submission process (i.e., authors are anonymous during review).

          • by TWX ( 665546 )

            A top-tier publication might well be just a flash-in-the-pan. Could be the last thing of notoriety that they do when it comes to OS kernels.

      • Exactly and a wise comment!!!
    • by ron_ivi ( 607351 ) <sdotno@NOSpAM.cheapcomplexdevices.com> on Sunday April 25, 2021 @05:08PM (#61312948)

      I'm betting their Research Project is continuing....

      They're probably using that apology letter to try to answer questions like:

      * How susceptible is the Open Source Community to lame excuses from organizations that try to sabotage their work?

      * How vulnerable is the Open Source Community to letting rogue organizations inject more defects just by changing the personnel of the people submitting compromising patches?

      * Can groups that want back doors in Linux (hackers, government groups, etc) just switch the names of contributors and get to add more backdoor attempts even after their first people are banned?

      The only way the Linux community can come out looking secure in the university's final research papers is to be extremely strict in the conditions of their return to the community.

      • Re: (Score:1, Informative)

        by Anonymous Coward

        These are foreign actors [github.io], sponsored by the PRC and need to be removed immediately:

        "I am a Ph.D. student in the Computer Science & Engineering Department at the University of Minnesota, advised by professor Kangjie Lu. I received my undergraduate B.A. in the Information Science & Engineering Department of the University of Science and Technology of China in 2018."

      • Re: (Score:2, Insightful)

        by AmiMoJo ( 196126 )

        If an attacker really wanted to sneak bad code in they would not just change the names on the patches, they would change the organisation too. Banning an entire university is kinda pointless, if someone there wants to submit patches they will just send them from a Gmail account instead of a .edu one.

        The kernel people seem to understand this and their issue is more being pissed off at having their time wasted then security.

        • by retchdog ( 1319261 ) on Sunday April 25, 2021 @05:55PM (#61313080) Journal

          wasting the time of people who otherwise might be working, at least indirectly, on security is a security issue.

        • by gweihir ( 88907 ) on Sunday April 25, 2021 @08:44PM (#61313578)

          True. There is value in making it entirely clear that anybody caught will get banned though. For example, the NSA does depend on being able to submit patches to keep the US economy safe. If they have to fear getting blocked in that, their incentives to try active sabotage get reduced significantly. For that to work the threat has to be credible and the ban has to be enforced, even if it was just stupid no-ethics researchers this time.

        • by Jason Earl ( 1894 ) on Sunday April 25, 2021 @09:57PM (#61313784) Homepage Journal

          Even with credentials from the University of Minnesota these people were not able to get their patches into the kernel. What makes you think that random hacker would have an easier time?

          The reality is that this sort of thing works like a web of trust. The University allowed researcher to abuse that trust in their name, and now everyone associated with that institution is seen as less trustworthy. This is precisely how it should work. The folks vetting these patches can't know everyone, and no one can really audit every line. That means that they have to be able to trust people that they don't know. The solution of course, is a web of trust. It is very likely the reason that this code wasn't rejected out of hand was that someone assumed that researchers at the University of Minnesota could be trusted not to be malicious actors. The folks safeguarding the Linux code don't know everyone at the University of Minnesota, but they probably knew someone, and they trusted the group not to pull this sort of prank.

          And now that is simply not the case.

          It wasn't only these two researchers either. There were professors that had to have approved this research, and other colleagues that knew about it and didn't warn their colleagues outside of the university. This prank has officially burned the reputation of everyone that has ever worked under a umn.edu email address.

          Don't get me wrong, this is still exciting research. It is just the sort of research that gets everyone involved banned as pariahs for time and all eternity. The other folks working on the Linux kernel simply can not afford to be merciful in this case. Even if they had made this commits "on accident" then the mere fact that they were this poorly done would raise red flags for future commits. The fact that they did this on purpose and that other people knew about it and thought it was a good idea just means that they are completely untrustworthy.

          If I were a student at umn.edu I would be furious. I can't imagine what the people running this research group were thinking.

          • The fact that this pile of drivel was written by a member of their Charkes Babbage Institute is itself damning: https://seattle.bibliocommons.... [bibliocommons.com]
          • by Mitreya ( 579078 )

            It wasn't only these two researchers either. There were professors that had to have approved this research, and other colleagues that knew about it and didn't warn their colleagues outside of the university.

            Specifically, they also got this through IRB review approval by claiming "no human subjects" exemption.

            Don't get me wrong, this is still exciting research.

            Ironically, the ethically solid parts (like reviewing and analyzing prior bugs or describing the proposed patch threat) were the best part anyway.

      • by Dutch Gun ( 899105 ) on Sunday April 25, 2021 @07:15PM (#61313322)

        Here's the part I have a real problem with:

        * Our recent patches in April 2021 are not part of the “hypocrite commits” paper either. We had been conducting a new project that aims to automatically identify bugs introduced by other patches (not from us). Our patches were prepared and submitted to fix the identified bugs to follow the rules of Responsible Disclosure, and we are happy to share details of this newer project with the Linux community.

        So they're apparently still claiming that their April patches, which introduced security issues just like the "hypocrite commits" did, and were overseen by the same professor, were not done deliberately. Seriously? I'm sorry, but at this point, I don't believe them. That's the problem with lost trust. How does anyone reasonably assume it was anything except deliberate now, given what they've done? Even if they weren't deliberate, then they were incredibly incompetent. You can't really have it both ways.

        It still feels to me like they're whitewashing this, trying to protect this grad student when he stuck his foot in his mouth and claimed innocence, going so far as to attack Greg Kroah-Hartman for his "preconceived biases."

        • by gweihir ( 88907 )

          Just ban them and rip _everything_ out they ever contributed. That grad student can go was dishes as a career as far as I am concerned. The organization may eventually get un-banned again if they cut out the cancer mercilessly and credibly. And I mean getting rid of that professor as well.

        • by Monoman ( 8745 )

          So basically a group of people from an organization decided it would be ok to attack the system without permission. Why is nobody pressing charges?

          If they did this to a commercial product/service without explicit permission ahead of time I am pretty darn sure there would be some jail time being discussed.

      • by gweihir ( 88907 )

        I'm betting their Research Project is continuing....

        They're probably using that apology letter to try to answer questions like:

        * How susceptible is the Open Source Community to lame excuses from organizations that try to sabotage their work?

        * How vulnerable is the Open Source Community to letting rogue organizations inject more defects just by changing the personnel of the people submitting compromising patches?

        * Can groups that want back doors in Linux (hackers, government groups, etc) just switch the names of contributors and get to add more backdoor attempts even after their first people are banned?

        The only way the Linux community can come out looking secure in the university's final research papers is to be extremely strict in the conditions of their return to the community.

        Very true. And it is entirely possible there are some of the usual evil forces (for example from the US intelligence community) exactly trying to answer these questions for their own use and as preparation to get well camouflaged backdoors in there. They would be using these "researchers" that apparently do not understand professional ethics at all as a front and guys to take the fall when discovered.

        Personally, I would require a sworn statement form all "researchers" involved that this was only their own b

        • Follow the money. The idea of research chumps had to have crossed the minds of the kernel developers. Good thought!

          Nothing short of full disclosure has any chance of getting the chumps past this mess.

      • by tlhIngan ( 30335 ) <slashdot&worf,net> on Monday April 26, 2021 @03:54AM (#61314426)

        Look, the university and these people benefited from screwing over the Linux community with their tests. The benefit was the publication of their paper. It may not be a monetary benefit, but it's a prestige benefit - the authors and the university get greater recognition in the academic community because of this work.

        The apology did not seem sincere. It was just a post to the LKML. I do not see how the damage they caused during their experiments, plus the benefit they themselves plus the university got is made up by this one post.

        A handwritten apology letter sent to the Linux Foundation and Greg would've been the bare minimum to than what was basically a no-effort post And by bare minimum, I mean "I'm a poor student and really cannot do anything more meaningful".

        The damage to Linux should include compensation in some form greater than the amount of work this has caused - all the time and effort that is now spent going through the contributions and reviewing them and all this. It could be a simple cash donation to the Linux Foundation - or maybe it's hardware - some high end Linux PCs for developers.

        It costs real people time and money to fix up the damage they caused, the least they could do is compensate people for that. If UMN really wanted to "make good", how about a 10 year commitment of $500,000 to the Linux Foundation? (That's 5 million dollars, which should be well above compensating the damage, well above whatever benefits they'd get from publishing the paper and well above the prestige obtained from it). I don't care if it comes out of the university's IT budget, or their CS department budget or whatever else. $500K isn't a random number, it's the platinum membership fee at the Linux Foundation.

        It'll sting, but it's not something UMN would suffer too badly from I would think - they're a big university.

        And had there been informed consent, then it's much less of an issue - I'm sure some minor compensation for the extra time and effort would've been sufficient - a few thousand dollars just to keep track of all the patches manually should be more than sufficient.

        Of course, I can't find what Greg wanted as he has hinted. I know it's probably somewhere in LKML but it's a pain to find it.

        • by TWX ( 665546 )

          And had there been informed consent, then it's much less of an issue - I'm sure some minor compensation for the extra time and effort would've been sufficient - a few thousand dollars just to keep track of all the patches manually should be more than sufficient.

          What you're talking about is basically penetration testing. If there had been informed consent then there would be no need for compensation at all, because both parties would have laid-out a groundwork for the test, both parties would have privately shared in the results before the any information was made public, and the Kernel team would have had time to take corrective action prior to results being published. The researchers, be they student-researchers or otherwise, would have been celebrated rather t

        • $500k seems a bit excessive for the damage caused.

          I would say a good remediation would be to offer to hire an independent security developer to review all patches that University of Minnesota wishes to commit as well as 2 other equal sized commits from other users for the next 5 years.

          They should also sponsor a working committee within the Linux Foundation to write a whitepaper on how any organization should approach future white hat operations.

      • I'm betting their Research Project is continuing....

        This is why material efforts need to be made before their 'apology' is accepted. The university should be required to hire an independent security auditor to review all commits by the University for a period of like 5 years. And as penance they also have to fund the security auditor's reviews of an equal number of commits from other users on behalf of the Linux Foundation.

        A probationary period seems appropriate until trust can be returned.

    • Re:Good decision (Score:4, Insightful)

      by AmiMoJo ( 196126 ) on Sunday April 25, 2021 @05:15PM (#61312970) Homepage Journal

      If the contents of this letter public? It's not linked in the summary.

      • I don't think it needs to be public. All the relevant people know the contents, no need to drag problems on in the open.

        • I don't think it needs to be public. All the relevant people know the contents, no need to drag problems on in the open.

          Is this an attempt at irony? The whole platform is supposed to be OPEN, and this transgression was not against a small, select group of people. In the open is exactly where the problems should be.

        • I classify "relevant people" to include not only those involved in the incident but also several other groups.

          - One is the the university's student body, in order to know whether they will need to transfer to another university before graduation in order to pursue their intended career.
          - A second is high school seniors considering applying to the university, in order to know whether they will need to choose a different university in order to pursue their intended career.
          - A third is researchers and ethics boards affiliated with other universities, in order to understand the consequences of violating the code of conduct.
          - A fourth is the admissions staff of other universities, in order to prepare for an influx of transfer students.

      • If the contents of this letter public? It's not linked in the summary.

        I couldn't find it anywhere on the E_mail kernel threads, and lots of other people there are asking as well.

        It might show up a little later, but today it doesn't appear to be public.

    • Re:Good decision (Score:4, Insightful)

      by gweihir ( 88907 ) on Sunday April 25, 2021 @08:36PM (#61313554)

      Indeed. Research is fine, but unethical research (this was human experimentation with subjects that never got asked for consent and no ethical oversight) is not and needs to have drastic negative repercussions for the experimenters.

    • Re:Good decision (Score:4, Insightful)

      by feranick ( 858651 ) on Sunday April 25, 2021 @08:42PM (#61313570)
      It's worse than that. It's unethical, and frankly quite disturbing when someone is doing research on you or your project without your consent. Heck, I am an academic myself with PI status, and I can't literally move a finger until I signs off a statement where I declare the intent of my research when involves humans subjects or behavior. This is either a rogue group at UMN or one has to question UMN practices. GKH stance is absolutely the right move.
  • Agreed (Score:5, Interesting)

    by backslashdot ( 95548 ) on Sunday April 25, 2021 @05:05PM (#61312930)

    They provided steps the university can do to regain trust/redemption .. which seems correct and reasonable to me.

  • by 93 Escort Wagon ( 326346 ) on Sunday April 25, 2021 @05:07PM (#61312942)

    Once again, another move towards their long-term goal of reinstating gopher as the world's go-to internet protocol has been detected and thwarted.

  • by inode_buddha ( 576844 ) on Sunday April 25, 2021 @05:11PM (#61312954) Journal

    I think Greg Kroah-Hartman did the right thing. They were told how to fix the situation, now the ball is in their court. I bet they don't fix anything until the CompSci department starts losing funding.

    What amazes me is that supposedly intelligent people thought this was a good idea. In the "real world" (as opposed to academia) idiot stunts like this get people fired, or jailed. The most generous way I can see it is, what they were really testing was the development process, and not the code (product) itself. And it looks like the process responded just fine.

    • Tests on human test subjects are definitely more the realm of psychology and the more liberal arts facing end of STEM, not computer science and engineering where it's rare for ethics to be any real concern (maybe outside of machine learning with human datasets). Hence there probably wasn't any ethics-related oversight within the whole department, allowing this research to proceed undisturbed despite it's total disregard of ethics.

      Furthermore it also seems like the department has such a high degree of aut
      • by hey! ( 33014 )

        While it's true that social science research more routinely involves stuff you have to clear with an Institutional Review Board (IRB), you don't have to have a PhD in moral reasoning to understand the computer *security* research is an ethical minefield. Anybody who doesn't understand that is not qualified to supervise students doing security research.

        • I didn't mention security research more generally because they do have ethical guidelines in that area that are clear and well understood, particularly in academia and within major corporations. Not that there aren't plenty of people in the infosec space who have a total disregard for those, but they're mostly people working for small, possibly even single-person, companies whose primary mode of communication for their vulnerabilities is twitter.
    • I suspect that the Linux Foundation stated that as long as these researchers continued to be employed by umn.edu that all umn.edu submissions would be sent straight to /dev/null. That's what is almost certainly in the letter that is not part of the public record. These researchers are hoping that an apology can save their careers. So they sent a public apology to LKML knowing that it would be read by the right people. The signs are all there. Let's look at Greg KH's response line by line.

      Thank you for your response.

      For those of y

  • Most of the time (Score:5, Insightful)

    by RightwingNutjob ( 1302813 ) on Sunday April 25, 2021 @05:33PM (#61313020)

    I'm of the opinion that IRB requirements for human social experimentation are wasteful and burdensome. This is an example of where they aren't and would never have signed off if consulted.

    Actively sabotaging critical infrastructure is not acceptable, regardless of motivation.

    • IRBs are bit burdensome. The problem is you don't know if you are in the "unnecessary" category or not until you have gone through an IRB.

    • Wish I had mod points. +5 insightful
  • He thanked them, and reiterated what they need to do to make amends. That is accepting an apology, not rejecting one.

    • Re:Not a rejection (Score:4, Insightful)

      by HiThere ( 15173 ) <charleshixsn.earthlink@net> on Sunday April 25, 2021 @06:08PM (#61313120)

      I wouldn't call it accepting the apology, but rather continuing to leave the door open for them to make an acceptable apology.

    • Re:Not a rejection (Score:5, Insightful)

      by thegarbz ( 1787294 ) on Sunday April 25, 2021 @06:30PM (#61313196)

      He thanked them, and reiterated what they need to do to make amends. That is accepting an apology, not rejecting one.

      I'm not sure how you think the english language works, but accepting an apology would be typically defined as returning to how things were before. Effectively right now things are precisely as they are had the apology not been written.

      Also "he thanked them" ? Seriously dude you need to learn to read in between the lines. When someone signs a formal and dismissive reply with just "thanks" not even with a capital letter, it is generally considered among people who understand the english language to be the exact opposite of thanking someone.

      It was the code of conduct friendly version of "go fuck yourself".

      • I'm not sure how you think the english language works, but accepting an apology would be typically defined as returning to how things were before.

        I don’t think this is accurate at all. There is no “return to the way things were before” requirement in my experience, and in fact this rarely happens if something something is greater than trivial.

        • I'm not sure how you think the english language works

          But this is accurate. How does the English Language work?

        • I don’t think this is accurate at all.

          Then effectively what you're saying is that there's zero point to ever giving an apology? I mean just think about what is going on here.
          a) they were caught
          b) they were told precisely what they needed to do.
          c) they apologised (why would they, they have a plan to go back to how things were)
          d) they were given a professional fuck you and we're still at step b.

          Apologies exist because of a desire to change some outcome. If the outcome hasn't changed the apology was completely and utterly worthless and can in no w

      • If you require that to accept an apology, things must return to how things were, then very few apologies would ever be accepted. In fact, if you cheated me, and then apologized, I would accept that. I cheated a few people when I was younger, but that was stupid, and I'm better now. Maybe you will be better for understanding what you did wrong. But there is no way in hell I would trust you again. That doesn't mean I am saying, "go fuck yourself." It is saying that you lost my trust. Good luck to you,
        • If you require that to accept an apology, things must return to how things were

          That may have been too harsh of a requirement, but the requirement is that things change. Otherwise the apology itself may as well not exist. At this point we can conclude that not only has nothing changed for the company, but by specifically omitting any mention of the apology Greg Kroah-Hartman has shown nothing has even changed in his opinion of the university.

          In no stretch of the imagination can this in any way be considered an acceptance of an apology.

      • When someone signs a formal and dismissive reply with just "thanks" not even with a capital letter, it is generally considered among people who understand the english language to be the exact opposite of thanking someone.

        Quite true. This is one of the complexities of language in general; it's not that in each and every case a lowercase "thanks" would be dismissive, but it's at least common enough to be recognizable. Every language and dialect likely has similar oddities, and they are multiplied by communicating in text. I remember for example reading how when the Japanese say "huh?" it tends to indicate at least a subtle dissatisfaction, whereas in the USA it's nothing more than a lack of understanding. This led to anecdote

    • Greg KH acknowledged that he had received their apology, and then he reminded them that a letter had been submitted to their University outlining what their University and their group had to do in order to regain trust.

      You will specifically note that Greg KH does not outline steps that the researchers themselves can do to repair that relationship. That is a telling omission.

      I suspect that the researchers wrote their apology because the letter that Greg KH mentions demands that the researchers in questi

      • I suspect that the researchers wrote their apology because the letter that Greg KH mentions demands that the researchers in question be fired.

        That would be harsh lol.

  • Or even better U of Minesota can pour all those smart compSci people into completing GNU HURD! ;-)

  • Sign of contempt (Score:5, Insightful)

    by burningcpu ( 1234256 ) on Sunday April 25, 2021 @05:58PM (#61313090)
    I like how he ended the email with a "thanks." That's as close to a "now fuck off" as you're likely to see in professional discourse.
  • by Okian Warrior ( 537106 ) on Sunday April 25, 2021 @06:27PM (#61313178) Homepage Journal

    Here's [kernel.org] an example of two of the changes submitted by Pakki, and the change request indicates that Pakki signed off on the changes.

    (I'd post the code, but I cannot for the life of me figure out how to avoid the slashdot "ascii art" filter.)

    In the 1st case, setting rm to NULL seems like a good idea, except that it's the end of the function, the function will return, so making the assignment to a function argument does nothing.

    In the 2nd case, checking rm for non-NULL seems like a good idea, except that previous code has pro-actively accessed the memory in all cases, so at the point in the code it's known to be non-NULL.

    The statement that these changes do nothing seems to be spot on.

    • The do more than nothing. It adds 2 superfluous instructions to the kernel. And it is "dead" code. Which someone might discover and try to remove. And in any case a potential to introduce future bugs. It also consumes additional processing cycles, unless an optimizing compiler is able to eliminate them. Lets say they are executed. Not a big deal? Thats 2 instructions, not measurable on a single instance. But spread that across billions of linux instances, and it is something a bit more than nothing. If i

      • It also consumes additional processing cycles, unless an optimizing compiler is able to eliminate them.

        Setting a variable to something that's no longer used afterwards is pretty basic thing to optimize away. That's why GregKH went off at the guy, because it was kids stuff that any C programmer would have known was nonsense as a fix; and why either the student's cover story was nonsense, or the student was so incompetent as a programmer and naively trusted his "tool" output.

    • by ledow ( 319597 )

      Seems to me, then, that they have a good case for saying these people are just wasting maintainer's time.

  • They claim that only 3 of their 190 patches were "incorrect" (ie, intentionally buggy). The remaining were legitimate contributions. And you probably wouldn't get to the point of trying to "test the gullibility of the workflow" without having worked with the community long enough to submit some legitimate contributions first.
    • Re:To be fair (Score:4, Insightful)

      by The Evil Atheist ( 2484676 ) on Sunday April 25, 2021 @11:50PM (#61314006)
      To be even more fair, no one except those researchers know when the research really began. If the kernel devs can't trust the researchers, then they can't trust what the paper claims they did or didn't do. So all of their contributions must be subject.

      For people claiming to be security experts, they sure don't seem to understand that security is all about trust and what completely losing trust does for the whole system.
    • Re:To be fair (Score:4, Insightful)

      by mikechant ( 729173 ) on Monday April 26, 2021 @07:33AM (#61314836)

      This is where the *real* cost to the kernel team comes in. They will have to carefully review all 190 patches, maybe reverting and replacing them if there's the slightest doubt. They can't just assume that only three of the patches are bogus, even though that is probably the case - they *have* to check.
      This could waste hundreds of hours of the kernel team's time.
      No wonder they're pissed off.

      • Devil's advocate: Should they not have already used the same amount of care when reviewing the patches in the first place, regardless of whether they're trying to guard against malice OR carelessness? We know how easy it is to get complacent with code review sometimes, especially if you don't have full context.
  • by couchslug ( 175151 ) on Monday April 26, 2021 @09:13AM (#61315250)

    The saboteurs felt entitled to shit in a pool they do not own. Like entitled children they were sorry they were disciplined.

    The kernel is a vitally important asset to humanity, not a toy.

  • It has been reported that many celebrities are coming out actively against Turkey.

    "I really don't like Turkey.", one said.

    When asked to elaborate, "The white is too dry."

    A response that immediately wreaks of racism.

    (which is to say, watch it with the sensationalist headlines)

    GKH didn't "reject", just mentioned again, the steps by which they could come back into the community they attacked. It was a reasonable response, maybe a bit harsh, but considering what happened. You can accept an apol

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...